YubiKeys by Yubico provide two-factor authentication by USB

I've written a few times about two-factor authentication (2FA), where a password (something you know) is paired with a second item, like a device-generated token or one-time code sent via SMS (something you have). A password can be stolen or sometimes extracted, so a second factor makes it substantially more difficult for someone who lacks physical access to you or your stuff to break into one of your accounts. This restricts attackers from accomplishing wholesale attacks across thousands or millions of accounts, unless 2FA is badly implemented or attackers find an exploit.

While Apple has tried to take the pain out of 2FA through its trusted device approach with iCloud accounts, many people still believe this is too complicated for average users to employ. There needs to be something powerful, simple, and ubiquitously supported, they argue, as do I. Apple's solution only works for people fully embedded in Apple's ecosystem and only for some of Apple's services.

2FA apps, like Authy and Google Authenticator, are good alternatives if you're in frequent need of a second factor. They're relatively simple to set up, but they're still not for everyone. And even though I use such apps every day, I confess that I sigh as I walk through the several straightforward steps to pull up the necessary app and then type in a confirmation factor.

A new hope

There's hope for even greater simplicity, though, from the wonkily named FIDO Alliance U2F standard. FIDO (Fast IDentity Online) comprises a group of security, hardware, and online finance companies trying to set broad standards for better authentication; U2F stands for Universal 2nd Factor. U2F is built into hardware, like a USB dongle, that contains cryptographic hardware to provide the second okey-dokey for a login or session.

A U2F device is registered to a service or website, just like setting up code-based second-factor verification. The cryptographic handshake during registration ensures that only the key in the U2F device can be successfully used to answer a second-factor challenge in the future. In two versions I tested from Yubico, a hardware authentication device maker that is out in front on this technology, the circuitry is also tamper-resistant and its firmware can't be updated.

Instead of a keyfob or card that generates a time- or sequence-based key on a display that you then type in, a U2F key is plugged into the USB port of your device, such as a laptop, when you're going to log into an account. In some cases, plugging in the device is enough; with other devices, you may need to tap a button to send the information.
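An added sketch of the flow described above: registration mints a key pair bound to one service, and a later login is answered by signing that service's challenge together with a user-presence flag (the button tap) and a counter. This is illustrative Go written for this page, not Yubico's or the U2F specification's code; the app ID URL, the nonces and the simplified signed-data layout are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models a U2F device: one P-256 key pair per registered service (app ID), plus a signature counter.
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[[32]byte]*ecdsa.PrivateKey{}} }

// Register mints a key pair bound to appID; the service stores only the public key.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[sha256.Sum256([]byte(appID))] = priv
	return &priv.PublicKey, nil
}

// signedData is a simplified version of U2F's layout: appID hash | user-presence byte (button tap) | counter | challenge hash.
func signedData(appID string, counter uint32, challenge []byte) [32]byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	d := append(app[:], 1, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return sha256.Sum256(append(d, ch[:]...))
}

// Sign answers a login challenge; the bool is false for a service this key was never registered with.
func (t *Token) Sign(appID string, challenge []byte) (uint32, []byte, bool) {
	priv, found := t.keys[sha256.Sum256([]byte(appID))]
	if !found {
		return 0, nil, false
	}
	t.counter++
	h := signedData(appID, t.counter, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return t.counter, sig, err == nil
}

// Verify is the service side: the stored public key must validate the signature and the counter must advance (a stuck counter suggests a cloned device).
func Verify(pub *ecdsa.PublicKey, appID string, last, counter uint32, challenge, sig []byte) bool {
	h := signedData(appID, counter, challenge)
	return counter > last && ecdsa.VerifyASN1(pub, h[:], sig)
}
```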

Yubico accomplishes this without drivers by masquerading its keys as USB keyboards. The OS recognizes the device, but then an app has to know how to communicate with the key to handle the right back and forth to accept the verification token. For mobile devices, this means a USB adapter for a standard Type A plug is needed.

Yubico's keys, the Premium Neo ($50), the Premium Neo-N ($60), and the FIDO U2F Special Security Key ($18), have an integral button. The Premium Neo includes NFC. (Yubico hopes Apple opens up its NFC support to allow direct NFC validation.) I tested the Neo-N and Special Security Key. The Neo-N is so tiny it's quite difficult to pull out of a deep USB port, and the Special Key has a keychain hole for ease of carrying.

Early backers

So far, there's little support as the standard and hardware are new, but Google is a backer of the spec, and lets you substitute a U2F key for other second-factor methods of authentication with a Google account when used via the Chrome browser in Mac OS X and on other platforms.

LastPass also supports U2F. It's very easy to implement, from all reports, and the broad participation of major firms on the FIDO Alliance's board makes wider support likely. Allowing U2F as a second factor doesn't close down other options for authentication. (Yubico has other key types that simply simulate typing a password, and which work more universally; some of its U2F-supporting hardware includes that functionality.)

A U2F key can be registered to multiple accounts and it can't be password protected. So it's as useful as an app, in that only a single piece of hardware is required to generate appropriate codes for multiple accounts. But it's as vulnerable as a security dongle, since mere possession obliterates the second-factor advantage. Someone who physically obtained your U2F key would still need your password or other first factor. An app or computer-based second factor can still be better, by requiring an ostensibly different password to unlock a computer or mobile device before obtaining the second factor.

Will U2F keys sweep the land? It's hard to imagine them becoming a required item on every keychain, but I dare say that they are so much simpler to use than anything currently available that they should sweep in another, broader circle of users who won't be bothered with today's methods. If Apple opens up NFC access as is generally anticipated, such keys can become a touch-and-go second factor with even less fuss.

An update on Touch ID and compulsion

In my first Private I column, I mentioned that Touch ID had a problematic component: you could be compelled to unlock a device, either by force or by law. "An individual or agent of others who want some of your information must only get ahold of your device, ensure it hasn't been rebooted, and then be able to hold an appropriate digit still for long enough to validate one's fingerprint."

A few weeks later, a circuit court judge in America ruled that while one's own passwords cannot be demanded during an investigation, as that is a form of self-incrimination and constitutionally protected, a fingerprint is not, even if it unlocks your data.

While that is just one court, its decision is in line with more generally accepted notions that DNA, blood, and the like don't constitute self-incrimination.

Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and the Economist, and a senior contributor to Macworld.
